Conflict between SNI and HTTP provided domains

I have recently moved a WordPress website with a small store from a hosting provider to a server of my own running Ubuntu Server 12.04.2 LTS and Apache 2.2.22. I require SSL for the store. I set up a couple of simple vhosts on a new IP for the server, one binding to port 80 of the specific IP and the other binding to port 443. Both have ServerName www.example.com and ServerAlias example.com in the vhost config. I have SSLStrictSNIVHostCheck off.

The site is running very slow, but is working. I'm getting the following in my error logs.

[Error] Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different

I expect that the slowness is related to the above message. Any ideas on why that is appearing and what I can do about it?


Solution 1:

Look at your access log (not the error log). With the time and date of the error you should be able to identify the offending request and find out the user agent. In my case, it was a bot:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"

My server answers with HTTP 400: Bad Request.

Unless I am mistaken, in TLS negotiations, the client sends the host name twice: once BEFORE the SSL connection is established in the SNI (Server Name Indication) and once AFTER in the actual HTTP request. If the server names mismatch, this would indicate a broken client and should have nothing to do with how your server is configured.

Maybe they will fix their bot someday; in the meantime you can probably ignore it. I doubt this can cause slowness on the host, unless the requests come at a very high rate.
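The answer above says to take the time stamp of the error and look it up in the access log to find the client and its user agent. The following script does that correlation automatically; it is an added example, not code from the thread. It parses Apache 2.4-style error_log lines (the AH02031/AH02032 entries shown later in this thread; Apache 2.2 lacks the AH ids, so adjust the regex if your log looks like the one in the question) and combined-format access_log lines, and reports every 400 response logged within a few seconds of each SNI/Host error. The log lines embedded below are constructed sample data modelled on the thread, and the script assumes both logs use the same server clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample error_log (Apache 2.4 format), modelled on the lines quoted in this thread.
ERROR_LOG = """\
[Wed Sep 05 11:28:00.349960 2018] [ssl:error] [pid 19906:tid 140392626808576] AH02032: Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different
[Wed Sep 05 11:30:15.100000 2018] [core:notice] [pid 19906:tid 140392626808576] AH00094: Command line: '/usr/sbin/apache2'
[Wed Sep 05 11:45:10.002233 2018] [ssl:error] [pid 19907:tid 140392626808576] AH02032: Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different
"""

# Constructed sample access_log in the "combined" LogFormat; the 400s are the rejected requests.
ACCESS_LOG = """\
203.0.113.7 - - [05/Sep/2018:11:28:00 +0000] "GET / HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
198.51.100.23 - - [05/Sep/2018:11:28:01 +0000] "GET /shop/ HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"
203.0.113.7 - - [05/Sep/2018:11:45:10 +0000] "GET / HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
"""

# "[Wed Sep 05 11:28:00.349960 2018] [ssl:error] ... AH02032: message"; microseconds are optional
# so the regex also matches the older "[Wed Sep 05 11:28:00 2018]" form.
ERROR_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\]"
    r" \[ssl:error\] .*?(?P<code>AH0203[12]): (?P<msg>.*)$"
)

# Combined log format: client ident user [time zone] "request" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]'
    r' "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_error_log(text):
    """Return the SNI/Host errors as dicts with a datetime, the AH code and the message."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue  # notices, other modules' errors, unrelated lines
        ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        events.append({"time": ts, "code": m["code"], "msg": m["msg"]})
    return events


def parse_access_log(text):
    """Return access log entries as dicts (client, time, request line, status, user agent)."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        hits.append({"time": ts, "client": m["client"], "request": m["request"],
                     "status": int(m["status"]), "ua": m["ua"]})
    return hits


def correlate(error_text, access_text, window_seconds=2):
    """For each SNI/Host error, return the 400 responses logged within +/- window_seconds."""
    window = timedelta(seconds=window_seconds)
    hits = parse_access_log(access_text)
    matches = []
    for ev in parse_error_log(error_text):
        for h in hits:
            if h["status"] == 400 and abs(h["time"] - ev["time"]) <= window:
                matches.append({"error_time": ev["time"], "code": ev["code"],
                                "client": h["client"], "request": h["request"], "ua": h["ua"]})
    return matches


def offenders_by_user_agent(error_text, access_text):
    """Count correlated 400s per (client, user agent) so a noisy bot stands out at once."""
    counts = {}
    for m in correlate(error_text, access_text):
        key = (m["client"], m["ua"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for m in correlate(ERROR_LOG, ACCESS_LOG):
        print(f'{m["error_time"]} {m["code"]} {m["client"]} "{m["request"]}" UA={m["ua"]}')
    for (client, ua), n in offenders_by_user_agent(ERROR_LOG, ACCESS_LOG).items():
        print(f"{n:4d}  {client}  {ua}")
```

Replace the two embedded strings with the contents of your real error_log and access_log. If the counts show one client or one user agent behind every error, the answer's diagnosis of a broken client applies; if the 400s are spread over many clients and browsers, look at the vhost configuration instead.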

Solution 2:

Maybe this error is evoked intentionally by some clients to test vulnerabilities of your server. I have found that a request from researchscan367.eecs.umich.edu triggered the error on a server I maintain. In this case it is a good thing® that the error occurs.

I was curious what kind of attacks are possible, and I asked this question on Security Stack Exchange: What kind of attack is prevented by Apache2's error code AH02032?

Solution 3:

In my case the creation of a new virtualhost with an underscore was the problem. I have a wildcard SSL certificate.

Didn't work:

<VirtualHost *:443>
        SSLEngine on
        ServerName sub_domain.example.com
        Redirect / https://www.example.com/restofmyredirectlink
</VirtualHost>

Although Apache did successfully restart, I got HTTP 400 errors. In the error log:

[Wed Sep 05 11:28:00.349960 2018] [ssl:error] [pid 19906:tid 140392626808576] AH02031: Hostname sub_domain.example.com provided via SNI, but no hostname provided in HTTP request

But removing the underscore worked:

<VirtualHost *:443>
        SSLEngine on
        ServerName subdomain.example.com
        Redirect / https://www.example.com/restofmyredirectlink
</VirtualHost>
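The two answers above describe two distinct rejections: AH02032 when the SNI name and the Host header name differ, and AH02031 when SNI carries a name but the HTTP request yields no usable hostname at all. The script below is an added example, not code from the thread or from Apache, that models both checks: it validates the Host value as an RFC 1123 host name (letters, digits and hyphens only, so `sub_domain` fails), strips the port, compares case-insensitively with the SNI name, and returns the matching error id. Treating an invalid Host value as "no hostname provided" is an assumption drawn from the log line in Solution 3, not a verified reading of the Apache source; the AH ids themselves are the ones quoted in this thread.

```python
import re

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen, at most 63 chars.
# Underscore is deliberately absent (RFC 952 / RFC 1123 host names do not allow it).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    """True when every label of name is a legal RFC 1123 host-name label."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def normalize_host_header(host_header):
    """Model of what the server keeps from the Host header: port removed, lower-cased,
    and None when the header is missing or its value is not a legal host name
    (assumption: this is how 'no hostname provided in HTTP request' arises for sub_domain)."""
    if host_header is None:
        return None
    host = host_header.strip()
    if ":" in host:                      # "www.example.com:443" -> "www.example.com"
        host = host.rpartition(":")[0]   # (IPv6 literals are out of scope for this model)
    host = host.lower()
    return host if is_valid_hostname(host) else None


def check_sni_vs_host(sni_name, host_header):
    """Return ('ok', hostname) when the HTTP request agrees with the TLS handshake,
    otherwise (error_id, message) using the ids seen in this thread's logs."""
    host = normalize_host_header(host_header)
    if sni_name is None:
        return ("ok", host)              # no SNI sent: nothing to compare against
    if host is None:
        return ("AH02031",
                f"Hostname {sni_name} provided via SNI, but no hostname provided in HTTP request")
    if host != sni_name.lower():
        return ("AH02032",
                f"Hostname {sni_name} provided via SNI and hostname {host} provided via HTTP are different")
    return ("ok", host)


if __name__ == "__main__":
    cases = [
        ("www.example.com", "www.example.com"),          # normal browser request
        ("www.example.com", "WWW.EXAMPLE.COM:443"),      # case and port do not matter
        ("example.com", "www.example.com"),              # the question's AH02032 situation
        ("sub_domain.example.com", "sub_domain.example.com"),  # Solution 3: underscore -> AH02031
        ("subdomain.example.com", "subdomain.example.com"),    # Solution 3 after the fix
        ("www.example.com", None),                       # HTTP/1.0 client without a Host header
    ]
    for sni, host in cases:
        print(f"SNI={sni!r:30} Host={host!r:30} -> {check_sni_vs_host(sni, host)}")
```

The model also explains why the wildcard certificate was a red herring in Solution 3: the rejection happens before any vhost or certificate matching, because the Host value never survives validation.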

Solution 4:

Sounds like a client issue at first look... What browser is causing this issue?

The message would suggest the hostname the client sends during the SSL connection setup is not the same as the one the client sends in the HTTPS request once the SSL layer is up.